Splunk Enterprise Security

Discussions

Thread Info

How to output a single result when matching multiple results within a lookup table.

I have an application file imported to be used as a lookup table in order to set the priority on servers within Asset...

by Path Finder in

Monitoring Account Creation in Windows with High Privileges

over ES , any way to monitor windows account assigned with high privilege. I only know of EventID 4672 . What all oth...

by New Member in

Is there an Audit log that tracks changes to content in Splunk Enterprise Security?

We have multiple people making changes to the content in Splunk Enterprise Security and I need to be able to track do...

by Path Finder in

Help me in creating a index.conf for new index.

I am having trouble in creating an index.conf, what could be the issue here I not getting it. check attachment, pleas...

by Path Finder in

trigger correlation rule for past event occurance

there was one event occured yesterday and we have one correlation rules against that. unfortunatley it was not trigge...

by Communicator in

Asset investigator

Dear Experts, I want to achieve below: 1- I want that when I put hostname/server name in asset investigator it ...

by Communicator in

Creating Assets csv file correlating logs from dhcp and Cisco ISE

We are creating assets inventory using different logs in Splunk. For this purpose, we first created list of “nt_host”...

by Engager in

How many resources would I need to receive 150 GB per day?

Hello team, I want to build a new SIEM using Splunk. I hope to receive between 100 and 150 GB of data per day. ...

by Path Finder in

Need assistance with ES error after upgrade from 5.2.2 to 5.3

I did upgraded my SPLUNK ES v5.2.2 to 5.3. none of the configure options are not working. Options like ES permiss...

by Communicator in

Example of "adaptive response action" execute error

Hi Splunkers, I followed the example of "adaptive response action" in this website https://dev.splunk.com/view/enterp...

by Loves-to-Learn in

Join command working

When nesting two commands using join, how can I verify if the Join command is returning the value of the field. [...

by Engager in

Wildcard for domain search

I am trying to find the domain that came in the logs but were faked to look similar for our domain. So if my domain i...

by New Member in

Splunk Enterprise Security requires a deployment client, but should I configure my ES search head as a deployment client?

I'm setting up a fresh install of Splunk Enterprise Security 4 and have a question about the deployment client requir...

by Path Finder in

How to use "nodename" in tstats

In the default ES data model "Malware", the "tag" field is extracted for the parent "Malware_Attacks", but it does no...

by New Member in

Notables are not getting created

This is a totally weird situation. I have few correlation searches for which notables are suppose to be generated ...

by New Member in

Which are the Best Recommended Splunk ES Webinars ?

Hello Splunkers, Being on a tight schedule as I cannot be watching webinars in most of my time, I would like to kn...

by Path Finder in

ERROR ConfReplicationThread - Content Length too large , csv

After extensive "googling" I didnt come to a comfortable consensus on what my next move should be. I am having bundle...

by Path Finder in

Splunk Enterprise Security upload app

Hello, I would like to upload a custom app to Splunk Enterprise Security Sandbox Cloud environment and/or is possible...

by New Member in

Meraki Syslog events to TA-meraki are not showing up in ESS

Myron, Thank you for taking the time to put into this TA. It's appears to be really useful with the way that Merak...

by Path Finder in

To detect if Local admin account has been used to logon to a system

Team, I am trying to setup a use case about To detect if Local admin account has been used to logon to a system , ...

by New Member in

Custom Bar Chart Colours Not Working

Hi, I have the following search in an ES dashboard panel to order incidents throughout the month by severity in a ...

by Explorer in

LDAP query for identities for Enterprise Security

I’m trying to populate my users with the following query. One of the issues I have is certain users don’t have the ma...

by Explorer in

Setting alias for multivalued field for ES/CIM compliance

I created an alias for the X_MS_Forwarded_Client_IP (ADFS events) to equal to src. The X_MS_Forwarded_Client_IP is a ...

by Influencer in

Correlation search - Stream events

I'll start with the goal of what I am trying to accomplish first. I'd like to be able to detect any source sending da...

by Path Finder in

Dynamically populate search dashboard after transaction

Hello, I'm trying to create a dashboard for our email logs, that allows a user to input fields like sender, recipi...

by Engager in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

How to output a single result when matching multiple results within a lookup table.

Monitoring Account Creation in Windows with High Privileges

Is there an Audit log that tracks changes to content in Splunk Enterprise Security?

Help me in creating a index.conf for new index.

trigger correlation rule for past event occurance

Asset investigator

Creating Assets csv file correlating logs from dhcp and Cisco ISE

How many resources would I need to receive 150 GB per day?

Need assistance with ES error after upgrade from 5.2.2 to 5.3

Example of "adaptive response action" execute error

Join command working

Wildcard for domain search

Splunk Enterprise Security requires a deployment client, but should I configure my ES search head as a deployment client?

How to use "nodename" in tstats

Notables are not getting created

Which are the Best Recommended Splunk ES Webinars ?

ERROR ConfReplicationThread - Content Length too large , csv

Splunk Enterprise Security upload app

Meraki Syslog events to TA-meraki are not showing up in ESS

To detect if Local admin account has been used to logon to a system

Custom Bar Chart Colours Not Working

LDAP query for identities for Enterprise Security

Setting alias for multivalued field for ES/CIM compliance

Correlation search - Stream events

Dynamically populate search dashboard after transaction

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Splunk New Course Releases for a Changing World

Splunk Enterprise Security API support for update ...

Clarification on UBA Capability in Splunk Enterpri...

Findings Comments

Sendalert risk does not populate source_guid / sou...

Asset Identity Framework subnet does not match ip-...

Splunk Enterprise Security

Are you a member of the Splunk Community?

Discussions